authorRay <[email protected]>2023-03-12 13:48:11 +0100
committerRay <[email protected]>2023-03-12 13:48:11 +0100
commitb436c8d7e5346a241b00511a11585936895d959d (patch)
tree3555a76b53a55c7517b7456e9ae7d847c811dc4f /src
parentee3e40c663e138473fffb9abc58214f6be130f03 (diff)
ADDED: Security check for `emscripten_run_script()` #2954
Diffstat (limited to 'src')
-rw-r--r--src/rcore.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/src/rcore.c b/src/rcore.c
index d6c8325e..eae49515 100644
--- a/src/rcore.c
+++ b/src/rcore.c
@@ -1994,7 +1994,9 @@ void SetClipboardText(const char *text)
glfwSetClipboardString(CORE.Window.handle, text);
#endif
#if defined(PLATFORM_WEB)
- emscripten_run_script(TextFormat("navigator.clipboard.writeText('%s')", text));
+ // Security check to (partially) avoid malicious code
+ if (strchr(text, '\'') != NULL) TRACELOG(LOG_WARNING, "SYSTEM: Provided Clipboard could be potentially malicious, avoid [\'] character");
+ else emscripten_run_script(TextFormat("navigator.clipboard.writeText('%s')", text));
#endif
}
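Review bot: The new check in SetClipboardText rejects only `'`, but `text` is still pasted into a JavaScript string literal, where a backslash or a line terminator also changes how the literal is parsed, so the filter stays incomplete, as its own comment concedes. Passing the string as data instead of building script source removes the quoting problem altogether, e.g. `EM_ASM({ navigator.clipboard.writeText(UTF8ToString($0)); }, text);`. `strchr(text, '\'')` also dereferences `text` with no NULL guard, so the condition should start with `(text == NULL) ||`. The same single-character filter is added in the TakeScreenshot and OpenURL hunks and has the same limits there. The function's body starts above this hunk.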
@@ -2006,6 +2008,7 @@ const char *GetClipboardText(void)
return glfwGetClipboardString(CORE.Window.handle);
#endif
#if defined(PLATFORM_WEB)
+/*
// Accessing clipboard data from browser is tricky due to security reasons
// The method to use is navigator.clipboard.readText() but this is an asynchronous method
// that will return at some moment after the function is called with the required data
@@ -2019,7 +2022,7 @@ const char *GetClipboardText(void)
// Another approach could be just copy the data in a HTML text field and try to retrieve it
// later on if available... and clean it for future accesses
-
+*/
return NULL;
#endif
return NULL;
@@ -2910,6 +2913,9 @@ void SetConfigFlags(unsigned int flags)
void TakeScreenshot(const char *fileName)
{
#if defined(SUPPORT_MODULE_RTEXTURES)
+ // Security check to (partially) avoid malicious code on PLATFORM_WEB
+ if (strchr(fileName, '\'') != NULL) { TRACELOG(LOG_WARNING, "SYSTEM: Provided fileName could be potentially malicious, avoid [\'] character"); return; }
+
Vector2 scale = GetWindowScaleDPI();
unsigned char *imgData = rlReadScreenPixels((int)((float)CORE.Window.render.width*scale.x), (int)((float)CORE.Window.render.height*scale.y));
Image image = { imgData, (int)((float)CORE.Window.render.width*scale.x), (int)((float)CORE.Window.render.height*scale.y), 1, PIXELFORMAT_UNCOMPRESSED_R8G8B8A8 };
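Review bot: The apostrophe check at the top of TakeScreenshot runs on every platform although its comment says it targets PLATFORM_WEB, so a desktop build now refuses a legitimate file name containing `'` and returns with only a warning log. Wrapping the check in `#if defined(PLATFORM_WEB)` / `#endif` would keep the restriction to the build where the name may end up in script text; that web-side call is not visible in this hunk, so this is inferred from the comment. `fileName` is also passed to `strchr` without a NULL guard. The function continues below the hunk.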
@@ -3536,12 +3542,8 @@ unsigned char *DecodeDataBase64(const unsigned char *data, int *outputSize)
// Ref: https://github.com/raysan5/raylib/issues/686
void OpenURL(const char *url)
{
- // Small security check trying to avoid (partially) malicious code...
- // sorry for the inconvenience when you hit this point...
- if (strchr(url, '\'') != NULL)
- {
- TRACELOG(LOG_WARNING, "SYSTEM: Provided URL is not valid");
- }
+ // Security check to (aprtially) avoid malicious code on PLATFORM_WEB
+ if (strchr(url, '\'') != NULL) TRACELOG(LOG_WARNING, "SYSTEM: Provided URL could be potentially malicious, avoid [\'] character");
else
{
#if defined(PLATFORM_DESKTOP)
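Review bot: The replacement comment in OpenURL has a typo (`aprtially`) and says the check is for PLATFORM_WEB, yet the `else` it guards opens with the PLATFORM_DESKTOP branch, so the test applies to every platform. Suggested wording: `// Security check to (partially) avoid injection through the quoted URL, applied on all platforms`. The branches that consume `url` lie outside this hunk; if each embeds it in a differently quoted command or script, a check per sink would be more accurate than one shared character test. The `\'` escape inside the log string is unnecessary in a C string literal; `[']` reads the same.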